Python
CVE-2026-34531
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 114 pypi packages depend on flask-httpauth (95 direct, 19 indirect)
Ecosystem-wide dependent count for version 4.8.1.
DescriptionGitHub Advisory
Summary
In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users.
Notes
- This issue applies only to token authentication
- This issue applies only when the application verifies tokens by searching for them in a user database.
- This issue applies only if the application stores empty strings as user tokens when the user does not have an assigned token. It does not apply if the application sets those tokens to
NULLinstead. - Tokens that are verified through cryptographic means (such as JWTs) are not affected by this issue.
- Basic and Digest authentication are not affected by this issue.
Remediation
To protect against this issue, developers should make sure that no user in the user database has their token set to an empty string. If there are such users, change the value of those tokens to NULL instead.
Alternatively, developers can upgrade their projects to Flask-HTTPAuth>=4.8.1, which fixes this issue.
AnalysisAI
Flask-HTTPAuth versions prior to 4.8.1 allow authentication bypass when applications store empty string tokens in their user database, enabling unauthenticated attackers to authenticate as any user with an empty token set by submitting requests without a token or with an empty token value. This affects only token-based authentication mechanisms that verify tokens via database lookup rather than cryptographic means (e.g., JWTs). CVSS score 6.5 reflects moderate integrity impact with low computational attack complexity, and no public exploit code has been identified at the time of analysis.
Technical ContextAI
Flask-HTTPAuth is a Python library that provides authentication decorators for Flask applications. The vulnerability exists in the token authentication verification flow where the library invokes the application's token verification callback with an empty string when no token or an empty token is provided in the request. The root cause is inadequate validation of token values before database lookup (CWE-287: Improper Authentication). Applications that use Flask-HTTPAuth's token_auth decorator with a custom verification callback that searches a user database for matching tokens are vulnerable if they store empty strings as sentinel values for users without assigned tokens, rather than using NULL or other non-empty defaults. The vulnerability does not affect JWT-based token verification or basic/digest authentication mechanisms, as these employ different validation logic.
RemediationAI
Vendor-released patch: Flask-HTTPAuth>=4.8.1. Applications using prior versions should either upgrade to version 4.8.1 or immediately remediate affected deployments by scanning the user database and replacing any empty string token values with NULL or a non-empty sentinel value (e.g., a UUID or specific placeholder string). Additionally, application developers should review their token verification callback implementations to add explicit validation that rejects empty token strings before database queries. See the GitHub security advisory at https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg for additional context and the upstream repository at https://github.com/miguelgrinberg/Flask-HTTPAuth for upgrade instructions.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-p44q-vqpr-4xmg